Regulatory obligations

All critical infrastructure asset owners, operators, and direct interest holders must meet their legal obligations under the Security of Critical Infrastructure Act 2018 (the SOCI Act). The obligations that apply to your business will depend on the kind of critical infrastructure asset that you own, operate, or have a direct interest in.

These obligations seek to make risk management, preparedness, prevention and resilience business as usual for the owners and operators of critical infrastructure assets. They will also improve information exchange between industry and government to build a more comprehensive understanding of the national threat environment.

The obligations that you must meet will depend on whether you are a responsible entity or a direct interest holder for an asset.

Responsible entities own or operate the asset. Each asset class has its own specific definition of a responsible entity for its sector. The responsible entity for each asset class is defined in section 12L of the SOCI Act. Responsible entities must provide operational information in relation to the asset.

A direct interest holder is an entity (e.g. individual, company or trust) that holds either:

  • a direct or joint interest of at least 10% in the asset, together with any associates
  • an interest in the asset that puts the entity in a position to directly or indirectly influence or control the asset.

For more information about what a critical infrastructure asset is, go to our page on the Security of Critical Infrastructure Act 2018 (SOCI).

If you are not sure whether these obligations apply to your critical infrastructure asset, read our Critical Infrastructure Asset Class Definition Guidance.

Obligation to notify data service providers

Entities must notify external data service providers if they are storing or processing business critical data for a critical infrastructure asset. This ensures that companies that handle sensitive data are aware that they may also have obligations under the SOCI Act. It will also ensure that they treat the security of the data appropriately.

This obligation applies to all critical infrastructure assets.

For more information on how this obligation might apply to you, read the Obligation to notify data storage or processing providers Factsheet.

Positive security obligations

There are three primary security obligations which apply to most critical infrastructure assets.